Public authentication

Public authentication is a a simple token-based authentication mechanism. It can be used together with standard signature authentication to allow public access to specific endpoints. Access can also be restricted to specific IP addresses.

To enable public authentication, a Fluid team member will provide a PublicID - a GUID string ID which is associated uniquely with an app. Public requests submit the PublicID to the API either as an HttpHeader, or a URL querystring parameter:

PublicID Request Header

curl -H "PublicID: c13c087f-a0ba-4916-aa6c-321edfb05dce" ... https://api.dialogportal.com/v1/user/authenticate

PublicID Querystring Parameter

https://api.dialogportal.com/v1/user/authenticate?PublicID=c13c087f-a0ba-4916-aa6c-321edfb05dce

Public requests from IP addresses which have not been approved will fail with HttpStatusCode 401, including an extra response header ApiStatusSubCode: 401.31

PublicID Expiry

PublicIDs can be expired just like App Secrets can: see App Secret expiry. As with App Secret expiry, the PublicID can either be expired immediately, or at some time in the future. When the expiry date is in the future, any API request will receive an extra response header PublicIDExpires, containing the expiry date in UTC format, e.g. PublicIDExpires: 2020-04-01T05:00:00Z.

When the expiry date has passed, API requests will fail with HttpStatusCode 401, including an extra response header ApiStatusSubCode: 401.30